Property
Language: ruby
Severity: high
CWE: CWE-650: Trusting HTTP Permission Methods on the Server Side
OWASP: A04:2021 - Insecure Design
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: High

Description

The code checks only for GET requests using request.get?. In Rails, a HEAD request is routed to the same action as the matching GET route, but request.get? returns false for it (request.head? returns true), so a HEAD request falls through to whatever branch was written for non-GET methods. If that branch performs state-changing work intended for POST, PUT or DELETE, or if read-only handling is skipped, the application behaves incorrectly under HEAD requests. Treat HEAD like GET where the intent is "read-only request", for example by checking request.get? || request.head?, or restrict the route so that HEAD is not accepted.

Impact

An attacker can send a HEAD request to reach the code path meant for non-GET methods, bypassing the intended logic or triggering actions that should require a state-changing request, while still receiving the same response headers a GET would return. This can lead to functionality misuse, unpredictable behaviour, or leakage of sensitive information.
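The following example, added here and not taken from the original page or from Rails, illustrates both the mechanism described above and its impact. It uses a constructed stand-in for ActionDispatch::Request and for Rails routing (FakeRequest, ROUTES and regenerations_after are assumptions made for this example; request.get? and request.head? are the real Rails predicates being modelled). The vulnerable controller is the pattern this rule flags; the hardened controller treats HEAD as a read-only request.

```ruby
# Constructed stand-in for ActionDispatch::Request: only the two predicates
# relevant to this rule. In Rails, request.get? is false for HEAD and
# request.head? is true.
class FakeRequest
  attr_reader :request_method

  def initialize(request_method)
    @request_method = request_method.to_s.upcase
  end

  def get?
    request_method == "GET"
  end

  def head?
    request_method == "HEAD"
  end
end

# Constructed stand-in for Rails routing: a route declared for GET also
# accepts HEAD and sends it to the same action (here one action serves both
# the form display and the form submission, as with `match ..., via: [:get, :post]`).
ROUTES = { "GET" => :reports, "HEAD" => :reports, "POST" => :reports }.freeze

# Vulnerable action flagged by this rule: only GET is treated as read-only,
# so a HEAD request falls through to the branch written for POST.
class VulnerableReportsController
  attr_reader :regenerations

  def initialize
    @regenerations = 0
  end

  def reports(request)
    if request.get?
      { status: 200, body: "current report" }
    else
      @regenerations += 1 # state-changing work intended for POST only
      { status: 200, body: "report regenerated" }
    end
  end
end

# Hardened action: HEAD is handled together with GET, so only genuinely
# non-safe methods reach the state-changing branch.
class SafeReportsController
  attr_reader :regenerations

  def initialize
    @regenerations = 0
  end

  def reports(request)
    if request.get? || request.head?
      { status: 200, body: "current report" }
    else
      @regenerations += 1
      { status: 200, body: "report regenerated" }
    end
  end
end

# Routes one request per listed method to the given controller class and
# returns how many times the state-changing branch ran.
def regenerations_after(controller_class, methods)
  controller = controller_class.new
  methods.each do |m|
    request = FakeRequest.new(m)
    action = ROUTES.fetch(request.request_method)
    controller.public_send(action, request)
  end
  controller.regenerations
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, HEAD: #{regenerations_after(VulnerableReportsController, %w[HEAD])}" # 1
  puts "hardened,   HEAD: #{regenerations_after(SafeReportsController, %w[HEAD])}"       # 0
  puts "hardened,   POST: #{regenerations_after(SafeReportsController, %w[POST])}"       # 1
end
```

In a real Rails controller the same guard would typically live in a before_action or in the `if request.get?` branch of a combined form action; the fix is identical, namely checking request.get? || request.head? wherever the intent is "this is a read-only request".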